QNAP security advisory for Roon Server

Folks, have you seen this security issue? Vulnerability in Roon Server - Security Advisory | QNAP

The QNAP security team has detected an attack campaign in the wild related to a vulnerability in Roon Server. QNAP NAS running the following versions of Roon Server may be susceptible to attack:

Roon Server 2021-02-01 and earlier

@danny are you guys @roonlabs aware of this? I’m a bit worried seeing that an attack campaign is already ongoing… I hope Roon Server hidden behind NAT is adequate protection, as there are no details about the attack vector…

1 Like

I took the liberty of fixing your title; hope it’s OK.

As long as you’re firewalled, you should be OK. You’re right that any vulnerability is concerning, more so on NAS devices.

Just received from QNAP…

Vulnerability in Roon Server

  • Release date: May 14, 2021
  • Security ID: QSA-21-17
  • Affected products: QNAP NAS running Roon Server
  • Status: Investigating

Summary

The QNAP security team has detected an attack campaign in the wild related to a vulnerability in Roon Server. QNAP NAS running the following versions of Roon Server may be susceptible to attack:

  • Roon Server 2021-02-01 and earlier

We have already notified Roon Labs of the issue and are thoroughly investigating the case. We will release security updates and provide further information as soon as possible.

Recommendation

QNAP recommends that users not expose their NAS to the internet. Until a security update is available from Roon Labs, we also recommend disabling Roon Server to prevent potential attacks.

Disabling Roon Server

  1. Log on to QTS as administrator.
  2. Open the App Center and then click .
    A search box appears.
  3. Type “Roon Server” and then press ENTER.
    Roon Server appears in the search results.
  4. Click the arrow below the Roon Server icon.
  5. Select Stop.
    The application is disabled.

1 Like

Yes, sure, no problem with the title, thx.

1 Like

Hopefully we will receive some confirmation or reassurance ASAP.

Last week I got all my data encrypted because of another vulnerability on the QNAP NAS.
The hacker asked for about 1350€ to decrypt my data… Luckily I had almost everything backed up; only some files were lost.

It’s really not a pleasant feeling… it’s like someone entering your house.

I disabled external access to the NAS and am not using OpenVPN/QVPN anymore.

Let’s see now…

2 Likes

The instructions from QNAP were simple enough… change the port number for remote access to the QNAP, change the login/password away from admin… and update all apps to the latest versions. There’s also a fairly simple SSH check on whether the 7z ransomware is actually on the system and how to find the unlock code…

1 Like

I saw this advisory today too. QNAP has had a lot of various ransomware attacks against their NAS devices this past year, so be sure your software/firmware is up to date.

My question is: while QNAP discovered active exploitation and reported the vulnerability to Roon, it’s possible the vuln in Roon Server is not a QNAP-only issue, as the language does not state that explicitly.

I would love for Roon to chime in (or please let me know if there is a statement/vulnerability note they’ve published) on the issue so non-QNAP device users like myself can decide if our servers are also vulnerable.

For now I’ve shut down my server and am standing by.

This vulnerability is not caused by Roon Server.
It was caused by me and is located in the web interface of the QNAP Roon Server app.
I am working on it right now.

25 Likes

Thank you for the quick reply Christopher!

1 Like

Any related thread on Synology?

The Synology DiskStations do not have this web interface. Because of that, there is no related threat on DiskStations.

1 Like

Refer to https://www.bleepingcomputer.com/news/security/qnap-warns-of-ech0raix-ransomware-attacks-roon-server-zero-day/

1 Like

*** BEWARE ***
Hit by eCh0raix last week on my QNAP NAS. Roon was the security hole. QNAP has removed Roon from their App Center for the time being. Bought the NAS for Roon specifically so I hope Roon gets with the times very soon. Pretty bush-league in this day and age…

I got this notification from QNAP yesterday in my inbox. Is this the same issue?

I stopped Roon from running but same here, I bought my QNAP to run Roon and store my music library.

Hello everyone,
I have also been hit by eCh0raix last week. I managed to format everything and restore a previous backup.

Unfortunately now I cannot use Roon anymore on my QNAP. The application disappeared from the app center of QNAP.

@crieke do you know if it will be released anytime soon or should I think about other solutions?

Thanks for your efforts, really appreciated.

1 Like

Same here, no application in the App Center anymore. @crieke please?

I understand how a web interface could have a vulnerability, but how did this happen? Did the victims here have their QNAP server exposed to the outside world either through UPnP or port forwarding?

The app has been taken down, until a fix is available.
I sent a new build with a quick fix for the issue (described in their email) yesterday and added further improvements today (announced by mail, but no build sent yet). I hope to get feedback on the changes on Monday. They will probably (for good reasons) check the build before putting it back in their App Center.

9 Likes

Many thanks.

I also do not expose my NAS to the outside world. But the main error was in the web interface, and this should not have happened. :frowning:

3 Likes